My first post, so please gently correct if my manners are out of line.

Like the title says, I've implemented IPSec (kernel) support for Shibby's TomatoUSB builds. Both IPv4 and IPv6 are supported, and IPv6 support is only included if you've enabled IPv6 support in your build. I've added the "x" build targets for all-in-one plus IPSec, or you can add "IPSECSUPP=y" to whatever target you like. It only works on K26 builds, and like the patch says I've only tested it on an Asus RT-N66u. But I *have* tested it, and it works. It adds a little under 57k to the resulting image.

Right now you'll need entware strongswan4-* packages to use it, or compile your own…optware packages don't work due to a broken libhydra dependency at the moment. The kernel option changes are following the Required Kernel Modifications on the strongswan wiki.

Someone please tell me who I should throw this patch at to get it into the official tomato repository. :-)

I have a better idea. If I see correctly, the patch will only add some of the kernel modules into the build. Maybe a better solution would be to export all of ipsec's modules to an extras.tar.gz file? Then anyone will be able to use strongswan, not only AIO users.

That was my idea at first, too, but it won't work. All of the ipsec-related modules require the CONFIG_XFRM option to be set to "y" (not built as a module), which it is not. You'll have to change the config somehow, in either case.

Also, anyone can use IPSec, not just AIO: you just need to add "IPSECSUPP=y" to the make build line, the same way VPN support used to be selected. I've just made some example build targets that include it automatically.

However, a halfway solution, that keeps the main changes small and puts as much in extras.tar.gz as possible, would be to enable the CONFIG_XFRM=y kernel config (it adds 8k to the resulting image) and compile all modules separately into the extras.tar.gz. The crypto modules are actually already in the extras directory during the build; it wouldn't be difficult to add the ipsec ones there as well.

I'll create a new patch that adds the baseline support (CONFIG_XFRM=y) for loading the ipsec modules on *every* K26 build and building the modules into the extras directory (so it can be added via optware/entware/extras/whatever), *unless* you specifically ask for IPSec support in which case they're bundled with the image. Sound good?

The ability to load external IPSec modules (the CONFIG_XFRM=y kernel parameter) is always built into K26 builds. Other than costing 8k, it really shouldn't break anything in any build. The IPSec modules (including crypto modules) are always built and put into extras (ipv6 versions only built if ipv6 support is compiled in). If you specify "IPSEC=y" to the bin target, it will also bundle those with the image.
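A quick way to confirm that a build's kernel .config meets the requirement discussed above, as an added example that is not from this thread or the Tomato sources: CONFIG_XFRM must be =y (the IPsec modules in extras cannot load otherwise), while the remaining options may be built in or modular. The option list beyond CONFIG_XFRM is my assumption of what the strongswan wiki's required kernel modifications amount to, and the sample .config is constructed.

```shell
#!/bin/sh
# Added example: check a kernel .config for the IPsec-related options.
# CONFIG_XFRM must be =y; the thread explains that the IPsec modules shipped
# in extras.tar.gz cannot be loaded when it is unset. The other options are
# an assumption of what the strongswan wiki's requirements translate to.

# Options that must be built in (=y), not modular.
BUILTIN_OPTS="CONFIG_XFRM"
# Options that may be =y or =m (the modules can live in extras.tar.gz).
MODULE_OPTS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP \
CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL \
CONFIG_NETFILTER_XT_MATCH_POLICY"

# config_value FILE OPT -> prints y, m, n (explicitly not set) or unset
config_value() {
    v=$(sed -n "s/^$2=\(.\)$/\1/p" "$1")
    if [ -n "$v" ]; then echo "$v"; return; fi
    grep -q "^# $2 is not set" "$1" && { echo n; return; }
    echo unset
}

# check_ipsec_config FILE -> prints one problem per line; returns 0 when clean
check_ipsec_config() {
    rc=0
    for o in $BUILTIN_OPTS; do
        v=$(config_value "$1" "$o")
        [ "$v" = y ] || { echo "$o must be =y (is $v)"; rc=1; }
    done
    for o in $MODULE_OPTS; do
        v=$(config_value "$1" "$o")
        case "$v" in y|m) ;; *) echo "$o missing (is $v)"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: XFRM left unset (as in a stock build), AH disabled.
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
# CONFIG_XFRM is not set
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
# CONFIG_INET_AH is not set
CONFIG_INET_ESP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
EOF

check_ipsec_config "$SAMPLE_CFG" || echo "fix the config before IPsec will work"
```

Point it at the real router/config output of your build instead of the sample to verify a target before flashing.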

The first three lines are necessary to remove the directory if there's nothing in it, or you'll have empty directories in /lib/modules/2.6.22.19/kernel. I followed the same method that the NEED_EX_USB logic used, above it. However, I made mistakes in the last two — they should say /kernel/net/xfrm and /kernel/net/key. You've fixed the rest. :-) The libcrc32c module isn't actually needed, so you can just reverse this part in the patch to get rid of it if you want:

One more thing…I missed that you need to build the libipt_policy.so extension in iptables. Here's a patch that builds it and plops it in extras, also embedding it in the image if IPSEC=y is supported. Against your latest HEAD.

One more, more thing. I've pulled down your patch, and it's broken — you forgot to include the bit about adding TCONFIG_IPSEC in router/config/config.in — without it, the "IPSEC=y" option doesn't work. Looking above, I neglected to include that part. My bad. :-( It was in a later commit of mine. I tested that you *are* able to just pull in the extras and IPSec works, though. Anyway, here's what you need to have it actually roll into the image: